fileenc-openssl
This code allows one to easily encrypt and decrypt files symmetrically using openssl and python3.
- Uses
aes-256-cbc
for file encryption (as implemented by openssl) - Uses a salt when encrypting (to avoid pre-computation or rainbow tables).
- Uses
sha256
key stretching (with <0.1s) to make brute force prohibitively expensive. - Uses
sha256
checksum to check file integrity.
Installation
You can install using
pip install fileenc-openssl
If you want fileenc
and filedec
available system-wide, use sudo
or equivalent.
Usage
From command line:
fileenc --key 'password123' --input '*.png' --check --overwrite
filedec --key 'password123' --input '*.png.enc' --check --overwrite --remove
# the quotes around wildcards are important
From python:
from fileenc_openssl import stretch_key, encrypt_file, decrypt_file
stretched_key = stretch_key('password123')
enc_pth = encrypt_file(raw_pth, key=stretched_key)
res_pth = decrypt_file(enc_pth, key=stretched_key)
Testing (needs py.test
):
py.test
Options
You can find all options using fileenc --help
:
-h, --help show this help message and exit -k KEY, --key KEY the key to use for encryption; you will be prompted for one if this is not provided (more secure) -i INP, --input INP input file, directory or pattern (as a single string) (.enc will be appended) -o OUTP, --output OUTP optionally, output file or directory (.enc will be stripped if available) -d, --decrypt decrypt the input file(s) (as opposed to encrypt, which is the default) -f, --overwrite overwrite existing files when decrypting (encrypting always overwrites) -r, --remove remove the input file after en/decrypting (after --check) -c, --check test the encryption by reversing it (abort on failure) (only for ENcryption due to salting) -1, --once prompt for the key only once (when encrypting without -k) -j N, --process-count N number of parallel processes to use for en/decryption; `0` for auto (default), `1` for serial
- optional arguments:
-
-h, --help show this help message and exit -k KEY, --key KEY  the key to use for encryption; you will be prompted for one if this is not provided (more secure) -i INP, --input INP  input file, directory or pattern as a single string (required for encrypting; defaults to *.enc when decrypting) -o OUTP, --output OUTP  optionally, output file or directory; .enc will be appended to each file -d, --decrypt decrypt the input file(s) (as opposed to encrypt, which is the default) -f, --overwrite  overwrite existing files when decrypting (encrypting always overwrites) -r, --remove shred the input file after en/decrypting (after --check) -c, --check test the encryption by reversing it (abort on failure) (only for ENcryption due to salting) -1, --once prompt for the key only once (only applicable if --key and --decrypt are not set) -j PROC_CNT, --process-count PROC_CNT  number of parallel processes to use for en/decryption; 0 for auto (default), 1 for serial
License
Revised BSD License; at your own risk, you can mostly do whatever you want with this code, just don't use my name for promotion and do keep the license file.